[RFC,v14,16/19] ipe: enable support for fs-verity as a trust provider

Message ID	1709768084-22539-17-git-send-email-wufan@linux.microsoft.com (mailing list archive)
State	New
Headers	show Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E70553611B; Wed, 6 Mar 2024 23:34:56 +0000 (UTC) From: Fan Wu <wufan@linux.microsoft.com> To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Fan Wu <wufan@linux.microsoft.com>, Deven Bowers <deven.desai@linux.microsoft.com> Subject: [RFC PATCH v14 16/19] ipe: enable support for fs-verity as a trust provider Date: Wed, 6 Mar 2024 15:34:41 -0800 Message-Id: <1709768084-22539-17-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com> References: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com> Precedence: bulk
Series	Integrity Policy Enforcement LSM (IPE) \| expand [RFC,v14,00/19] Integrity Policy Enforcement LSM (IPE) [RFC,v14,01/19] security: add ipe lsm [RFC,v14,02/19] ipe: add policy parser [RFC,v14,03/19] ipe: add evaluation loop [RFC,v14,04/19] ipe: add LSM hooks on execution and kernel read [RFC,v14,05/19] initramfs\|security: Add a security hook to do_populate_rootfs() [RFC,v14,06/19] ipe: introduce 'boot_verified' as a trust provider [RFC,v14,07/19] security: add new securityfs delete function [RFC,v14,08/19] ipe: add userspace interface [RFC,v14,09/19] uapi\|audit\|ipe: add ipe auditing support [RFC,v14,10/19] ipe: add permissive toggle [RFC,v14,11/19] block\|security: add LSM blob to block_device [RFC,v14,12/19] dm: add finalize hook to target_type [RFC,v14,13/19] dm verity: consume root hash digest and signature data via LSM hook [RFC,v14,14/19] ipe: add support for dm-verity as a trust provider [RFC,v14,15/19] fsverity: consume builtin signature via LSM hook [RFC,v14,16/19] ipe: enable support for fs-verity as a trust provider [RFC,v14,17/19] scripts: add boot policy generation program [RFC,v14,18/19] ipe: kunit test for parser [RFC,v14,19/19] documentation: add ipe documentation

diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 7afb1ce0cb99..e0b895d1a51f 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -30,6 +30,19 @@ config IPE_PROP_DM_VERITY that was mounted with a signed root-hash or the volume's root hash matches the supplied value in the policy. + If unsure, answer Y. + +config IPE_PROP_FS_VERITY + bool "Enable property for fs-verity files" + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES + help + This option enables the usage of properties "fsverity_signature" + and "fsverity_digest". These properties evaluates to TRUE when + a file is fsverity enabled and with a signed digest or its + digest matches the supplied value in the policy. + + if unsure, answer Y. + endmenu endif diff --git a/security/ipe/audit.c b/security/ipe/audit.c index 3acbfecc9f43..f508944a3ed1 100644 --- a/security/ipe/audit.c +++ b/security/ipe/audit.c @@ -53,6 +53,9 @@ static const char *const audit_prop_names[__IPE_PROP_MAX] = { "dmverity_roothash=", "dmverity_signature=FALSE", "dmverity_signature=TRUE", + "fsverity_digest=", + "fsverity_signature=FALSE", + "fsverity_signature=TRUE", }; /** @@ -66,6 +69,17 @@ static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh) ipe_digest_audit(ab, rh); } +/** + * audit_fsv_digest - audit the digest of a fsverity_digest property. + * @ab: Supplies a pointer to the audit_buffer to append to. + * @d: Supplies a pointer to the digest structure. + */ +static void audit_fsv_digest(struct audit_buffer *ab, const void *d) +{ + audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]); + ipe_digest_audit(ab, d); +} + /** * audit_rule - audit an IPE policy rule approximation. * @ab: Supplies a pointer to the audit_buffer to append to. @@ -82,6 +96,9 @@ static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r) case IPE_PROP_DMV_ROOTHASH: audit_dmv_roothash(ab, ptr->value); break; + case IPE_PROP_FSV_DIGEST: + audit_fsv_digest(ab, ptr->value); + break; default: audit_log_format(ab, "%s", audit_prop_names[ptr->type]); break; diff --git a/security/ipe/eval.c b/security/ipe/eval.c index 8dcf7809c9fc..8cb8c64221e0 100644 --- a/security/ipe/eval.c +++ b/security/ipe/eval.c @@ -10,6 +10,7 @@ #include <linux/sched.h> #include <linux/rcupdate.h> #include <linux/moduleparam.h> +#include <linux/fsverity.h> #include "ipe.h" #include "eval.h" @@ -51,6 +52,23 @@ static void build_ipe_bdev_ctx(struct ipe_eval_ctx *ctx, const struct inode *con } #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY +/** + * build_ipe_inode_ctx - Build inode fields of an evaluation context. + * @ctx: Supplies a pointer to the context to be populated. + * @ino: Supplies the inode struct of the file triggered IPE event. + */ +static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino) +{ + ctx->ino = ino; + ctx->ipe_inode = ipe_inode(ctx->ino); +} +#else +static void build_ipe_inode_ctx(struct ipe_eval_ctx *ctx, const struct inode *const ino) +{ +} +#endif /* CONFIG_IPE_PROP_FS_VERITY */ + /** * build_eval_ctx - Build an evaluation context. * @ctx: Supplies a pointer to the context to be populated. @@ -63,13 +81,17 @@ void build_eval_ctx(struct ipe_eval_ctx *ctx, enum ipe_op_type op, enum ipe_hook_type hook) { + struct inode *ino; + ctx->file = file; ctx->op = op; ctx->hook = hook; if (file) { build_ipe_sb_ctx(ctx, file); - build_ipe_bdev_ctx(ctx, d_real_inode(file->f_path.dentry)); + ino = d_real_inode(file->f_path.dentry); + build_ipe_bdev_ctx(ctx, ino); + build_ipe_inode_ctx(ctx, ino); } } @@ -148,6 +170,84 @@ static bool evaluate_dmv_sig_true(const struct ipe_eval_ctx *const ctx) } #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY +/** + * evaluate_fsv_digest - Analyze @ctx against a fsv digest property. + * @ctx: Supplies a pointer to the context being evaluated. + * @p: Supplies a pointer to the property being evaluated. + * + * Return: + * * true - The current @ctx match the @p + * * false - The current @ctx doesn't match the @p + */ +static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx, + struct ipe_prop *p) +{ + enum hash_algo alg; + u8 digest[FS_VERITY_MAX_DIGEST_SIZE]; + struct digest_info info; + + if (!ctx->ino) + return false; + if (!fsverity_get_digest((struct inode *)ctx->ino, + digest, + NULL, + &alg)) + return false; + + info.alg = hash_algo_name[alg]; + info.digest = digest; + info.digest_len = hash_digest_size[alg]; + + return ipe_digest_eval(p->value, &info); +} + +/** + * evaluate_fsv_sig_false - Analyze @ctx against a fsv sig false property. + * @ctx: Supplies a pointer to the context being evaluated. + * + * Return: + * * true - The current @ctx match the property + * * false - The current @ctx doesn't match the property + */ +static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx) +{ + return !ctx->ino || + !IS_VERITY(ctx->ino) || + !ctx->ipe_inode || + !ctx->ipe_inode->fs_verity_signed; +} + +/** + * evaluate_fsv_sig_true - Analyze @ctx against a fsv sig true property. + * @ctx: Supplies a pointer to the context being evaluated. + * + * Return: + * * true - The current @ctx match the property + * * false - The current @ctx doesn't match the property + */ +static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx) +{ + return !evaluate_fsv_sig_false(ctx); +} +#else +static bool evaluate_fsv_digest(const struct ipe_eval_ctx *const ctx, + struct ipe_prop *p) +{ + return false; +} + +static bool evaluate_fsv_sig_false(const struct ipe_eval_ctx *const ctx) +{ + return false; +} + +static bool evaluate_fsv_sig_true(const struct ipe_eval_ctx *const ctx) +{ + return false; +} +#endif /* CONFIG_IPE_PROP_FS_VERITY */ + /** * evaluate_property - Analyze @ctx against a property. * @ctx: Supplies a pointer to the context to be evaluated. @@ -171,6 +271,12 @@ static bool evaluate_property(const struct ipe_eval_ctx *const ctx, return evaluate_dmv_sig_false(ctx); case IPE_PROP_DMV_SIG_TRUE: return evaluate_dmv_sig_true(ctx); + case IPE_PROP_FSV_DIGEST: + return evaluate_fsv_digest(ctx, p); + case IPE_PROP_FSV_SIG_FALSE: + return evaluate_fsv_sig_false(ctx); + case IPE_PROP_FSV_SIG_TRUE: + return evaluate_fsv_sig_true(ctx); default: return false; } diff --git a/security/ipe/eval.h b/security/ipe/eval.h index 494c0754f512..73ac905dc97d 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -29,6 +29,12 @@ struct ipe_bdev { }; #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY +struct ipe_inode { + bool fs_verity_signed; +}; +#endif /* CONFIG_IPE_PROP_FS_VERITY */ + struct ipe_eval_ctx { enum ipe_op_type op; enum ipe_hook_type hook; @@ -38,6 +44,10 @@ struct ipe_eval_ctx { #ifdef CONFIG_IPE_PROP_DM_VERITY const struct ipe_bdev *ipe_bdev; #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY + const struct inode *ino; + const struct ipe_inode *ipe_inode; +#endif /* CONFIG_IPE_PROP_FS_VERITY */ }; enum ipe_match { diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c index f5190a1347a6..ca1573ff21b7 100644 --- a/security/ipe/hooks.c +++ b/security/ipe/hooks.c @@ -254,3 +254,33 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, return -EOPNOTSUPP; } #endif /* CONFIG_IPE_PROP_DM_VERITY */ + +#ifdef CONFIG_IPE_PROP_FS_VERITY +/** + * ipe_inode_setsecurity - Sets fields of a inode security blob from @key. + * @inode: The inode to source the security blob from. + * @name: The name representing the information to be stored. + * @value: The value to be stored. + * @size: The size of @value. + * @flags: unused + * + * Saves fsverity signature & digest into inode security blob + * + * Return: + * * 0 - OK + * * !0 - Error + */ +int ipe_inode_setsecurity(struct inode *inode, const char *name, + const void *value, size_t size, + int flags) +{ + struct ipe_inode *inode_sec = ipe_inode(inode); + + if (!strcmp(name, FS_VERITY_INODE_SEC_NAME)) { + inode_sec->fs_verity_signed = size > 0 && value; + return 0; + } + + return -EOPNOTSUPP; +} +#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY */ diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h index 26a58cbcc276..96a5295d8303 100644 --- a/security/ipe/hooks.h +++ b/security/ipe/hooks.h @@ -9,6 +9,7 @@ #include <linux/binfmts.h> #include <linux/security.h> #include <linux/blk_types.h> +#include <linux/fsverity.h> enum ipe_hook_type { IPE_HOOK_BPRM_CHECK = 0, @@ -43,4 +44,10 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, const void *value, size_t len); #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY +int ipe_inode_setsecurity(struct inode *inode, const char *name, + const void *value, size_t size, + int flags); +#endif /* CONFIG_IPE_PROP_FS_VERITY */ + #endif /* _IPE_HOOKS_H */ diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index a62b9dc0c8f6..598333d3ef14 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -16,6 +16,9 @@ static struct lsm_blob_sizes ipe_blobs __ro_after_init = { #ifdef CONFIG_IPE_PROP_DM_VERITY .lbs_bdev = sizeof(struct ipe_bdev), #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY + .lbs_inode = sizeof(struct ipe_inode), +#endif /* CONFIG_IPE_PROP_FS_VERITY */ }; static const struct lsm_id ipe_lsmid = { @@ -35,6 +38,13 @@ struct ipe_bdev *ipe_bdev(struct block_device *b) } #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY +struct ipe_inode *ipe_inode(const struct inode *inode) +{ + return inode->i_security + ipe_blobs.lbs_inode; +} +#endif /* CONFIG_IPE_PROP_FS_VERITY */ + static struct security_hook_list ipe_hooks[] __ro_after_init = { LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security), LSM_HOOK_INIT(mmap_file, ipe_mmap_file), @@ -46,6 +56,9 @@ static struct security_hook_list ipe_hooks[] __ro_after_init = { LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security), LSM_HOOK_INIT(bdev_setsecurity, ipe_bdev_setsecurity), #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY + LSM_HOOK_INIT(inode_setsecurity, ipe_inode_setsecurity), +#endif /* CONFIG_IPE_PROP_FS_VERITY */ }; /** diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h index 64626702b689..57d3fc22fe10 100644 --- a/security/ipe/ipe.h +++ b/security/ipe/ipe.h @@ -19,5 +19,8 @@ extern bool ipe_enabled; #ifdef CONFIG_IPE_PROP_DM_VERITY struct ipe_bdev *ipe_bdev(struct block_device *b); #endif /* CONFIG_IPE_PROP_DM_VERITY */ +#ifdef CONFIG_IPE_PROP_FS_VERITY +struct ipe_inode *ipe_inode(const struct inode *inode); +#endif /* CONFIG_IPE_PROP_FS_VERITY */ #endif /* _IPE_H */ diff --git a/security/ipe/policy.h b/security/ipe/policy.h index 35629e9699f7..ae6264874fd3 100644 --- a/security/ipe/policy.h +++ b/security/ipe/policy.h @@ -36,6 +36,9 @@ enum ipe_prop_type { IPE_PROP_DMV_ROOTHASH, IPE_PROP_DMV_SIG_FALSE, IPE_PROP_DMV_SIG_TRUE, + IPE_PROP_FSV_DIGEST, + IPE_PROP_FSV_SIG_FALSE, + IPE_PROP_FSV_SIG_TRUE, __IPE_PROP_MAX }; diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c index 802e31f14b22..48dc11739072 100644 --- a/security/ipe/policy_parser.c +++ b/security/ipe/policy_parser.c @@ -273,6 +273,9 @@ static const match_table_t property_tokens = { {IPE_PROP_DMV_ROOTHASH, "dmverity_roothash=%s"}, {IPE_PROP_DMV_SIG_FALSE, "dmverity_signature=FALSE"}, {IPE_PROP_DMV_SIG_TRUE, "dmverity_signature=TRUE"}, + {IPE_PROP_FSV_DIGEST, "fsverity_digest=%s"}, + {IPE_PROP_FSV_SIG_FALSE, "fsverity_signature=FALSE"}, + {IPE_PROP_FSV_SIG_TRUE, "fsverity_signature=TRUE"}, {IPE_PROP_INVALID, NULL} }; @@ -302,6 +305,7 @@ static int parse_property(char *t, struct ipe_rule *r) switch (token) { case IPE_PROP_DMV_ROOTHASH: + case IPE_PROP_FSV_DIGEST: dup = match_strdup(&args[0]); if (!dup) { rc = -ENOMEM; @@ -317,6 +321,8 @@ static int parse_property(char *t, struct ipe_rule *r) case IPE_PROP_BOOT_VERIFIED_TRUE: case IPE_PROP_DMV_SIG_FALSE: case IPE_PROP_DMV_SIG_TRUE: + case IPE_PROP_FSV_SIG_FALSE: + case IPE_PROP_FSV_SIG_TRUE: p->type = token; break; default:

[RFC,v14,16/19] ipe: enable support for fs-verity as a trust provider

Commit Message

Comments

Patch